Diffstat (limited to 'docs/configexamples')
-rw-r--r-- docs/configexamples/azure-vpn-bgp.rst | 128
-rw-r--r-- docs/configexamples/azure-vpn-dual-bgp.rst | 155
-rw-r--r-- docs/configexamples/bgp-ipv6-unnumbered.rst | 171
-rw-r--r-- docs/configexamples/dhcp-relay-through-gre-bridge.rst | 77
-rw-r--r-- docs/configexamples/dmvpn.rst | 106
-rw-r--r-- docs/configexamples/index.rst | 19
-rw-r--r-- docs/configexamples/ospf-unnumbered.rst | 125
-rw-r--r-- docs/configexamples/tunnelbroker-ipv6.rst | 151
-rw-r--r-- docs/configexamples/wan-load-balancing.rst | 170
-rw-r--r-- docs/configexamples/zone-policy.rst | 379
10 files changed, 1481 insertions, 0 deletions
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst new file mode 100644 index 00000000..57f82396 --- /dev/null +++ b/docs/configexamples/azure-vpn-bgp.rst 
@@ -0,0 +1,128 @@ +.. _examples-azure-vpn-bgp: + +Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) +------------------------------------------------------------ + +This guide shows an example of a route-based IKEv2 site-to-site VPN to +Azure using VTI and BGP for dynamic routing updates. + +Prerequisites +^^^^^^^^^^^^^ + +- A pair of Azure VNet Gateways deployed in active-passive + configuration with BGP enabled. + +- A local network gateway deployed in Azure representing + the Vyos device, matching the below Vyos settings except for + address space, which only requires the Vyos private IP, in + this example 10.10.0.5/32 + +- A connection resource deployed in Azure linking the + Azure VNet gateway and the local network gateway representing + the Vyos device. + +Example +^^^^^^^ + ++---------------------------------------+---------------------+ +| WAN Interface | eth0 | ++---------------------------------------+---------------------+ +| On-premises address space | 10.10.0.0/16 | ++---------------------------------------+---------------------+ +| Azure address space | 10.0.0.0/16 | ++---------------------------------------+---------------------+ +| Vyos public IP | 198.51.100.3 | ++---------------------------------------+---------------------+ +| Vyos private IP | 10.10.0.5 | ++---------------------------------------+---------------------+ +| Azure VNet Gateway public IP | 203.0.113.2 | ++---------------------------------------+---------------------+ +| Azure VNet Gateway BGP IP | 10.0.0.4 | ++---------------------------------------+---------------------+ +| Pre-shared key | ch00s3-4-s3cur3-psk | ++---------------------------------------+---------------------+ +| Vyos ASN | 64499 | ++---------------------------------------+---------------------+ +| Azure ASN | 65540 | ++---------------------------------------+---------------------+ + +Vyos configuration +^^^^^^^^^^^^^^^^^^ + +- Configure the IKE and ESP settings to match a subset + of those supported by 
Azure: + +.. code-block:: none + + set vpn ipsec esp-group AZURE compression 'disable' + set vpn ipsec esp-group AZURE lifetime '3600' + set vpn ipsec esp-group AZURE mode 'tunnel' + set vpn ipsec esp-group AZURE pfs 'dh-group2' + set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' + set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' + + set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' + set vpn ipsec ike-group AZURE dead-peer-detection interval '15' + set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' + set vpn ipsec ike-group AZURE ikev2-reauth 'yes' + set vpn ipsec ike-group AZURE key-exchange 'ikev2' + set vpn ipsec ike-group AZURE lifetime '28800' + set vpn ipsec ike-group AZURE proposal 1 dh-group '2' + set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' + set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' + +- Enable IPsec on eth0 + +.. code-block:: none + + set vpn ipsec ipsec-interfaces interface 'eth0' + +- Configure a VTI with a dummy IP address + +.. code-block:: none + + set interfaces vti vti1 address '10.10.1.5/32' + set interfaces vti vti1 description 'Azure Tunnel' + +- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. + +.. code-block:: none + + set firewall options interface vti1 adjust-mss 1350 + +- Configure the VPN tunnel + +.. 
code-block:: none + + set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' + set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' + set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' + set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' + set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' + set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' + set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' + set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' + set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' + +- **Important**: Add an interface route to reach Azure's BGP listener + +.. code-block:: none + + set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 + +- Configure your BGP settings + +.. code-block:: none + + set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' + set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' + set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' + set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' + +- **Important**: Disable connected check \ + +.. code-block:: none + + set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst new file mode 100644 index 00000000..cbe9a4d9 --- /dev/null +++ b/docs/configexamples/azure-vpn-dual-bgp.rst 
@@ -0,0 +1,155 @@ +.. _examples-azure-vpn-dual-bgp: + +Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) +---------------------------------------------------------------------- + +This guide shows an example of a redundant (active-active) route-based IKEv2 +site-to-site VPN to Azure using VTI +and BGP for dynamic routing updates. + +Prerequisites +^^^^^^^^^^^^^ + +- A pair of Azure VNet Gateways deployed in active-passive + configuration with BGP enabled. + +- A local network gateway deployed in Azure representing + the Vyos device, matching the below Vyos settings except for + address space, which only requires the Vyos private IP, in + this example 10.10.0.5/32 + +- A connection resource deployed in Azure linking the + Azure VNet gateway and the local network gateway representing + the Vyos device. + +Example +^^^^^^^ + ++---------------------------------------+---------------------+ +| WAN Interface | eth0 | ++---------------------------------------+---------------------+ +| On-premises address space | 10.10.0.0/16 | ++---------------------------------------+---------------------+ +| Azure address space | 10.0.0.0/16 | ++---------------------------------------+---------------------+ +| Vyos public IP | 198.51.100.3 | ++---------------------------------------+---------------------+ +| Vyos private IP | 10.10.0.5 | ++---------------------------------------+---------------------+ +| Azure VNet Gateway 1 public IP | 203.0.113.2 | ++---------------------------------------+---------------------+ +| Azure VNet Gateway 2 public IP | 203.0.113.3 | ++---------------------------------------+---------------------+ +| Azure VNet Gateway BGP IP | 10.0.0.4,10.0.0.5 | ++---------------------------------------+---------------------+ +| Pre-shared key | ch00s3-4-s3cur3-psk | ++---------------------------------------+---------------------+ +| Vyos ASN | 64499 | ++---------------------------------------+---------------------+ +| Azure ASN | 65540 | 
++---------------------------------------+---------------------+ + +Vyos configuration +^^^^^^^^^^^^^^^^^^ + +- Configure the IKE and ESP settings to match a subset + of those supported by Azure: + +.. code-block:: none + + set vpn ipsec esp-group AZURE compression 'disable' + set vpn ipsec esp-group AZURE lifetime '3600' + set vpn ipsec esp-group AZURE mode 'tunnel' + set vpn ipsec esp-group AZURE pfs 'dh-group2' + set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' + set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' + + set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' + set vpn ipsec ike-group AZURE dead-peer-detection interval '15' + set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' + set vpn ipsec ike-group AZURE ikev2-reauth 'yes' + set vpn ipsec ike-group AZURE key-exchange 'ikev2' + set vpn ipsec ike-group AZURE lifetime '28800' + set vpn ipsec ike-group AZURE proposal 1 dh-group '2' + set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' + set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' + +- Enable IPsec on eth0 + +.. code-block:: none + + set vpn ipsec ipsec-interfaces interface 'eth0' + +- Configure two VTIs with a dummy IP address each + +.. code-block:: none + + set interfaces vti vti1 address '10.10.1.5/32' + set interfaces vti vti1 description 'Azure Primary Tunnel' + + set interfaces vti vti2 address '10.10.1.6/32' + set interfaces vti vti2 description 'Azure Secondary Tunnel' + +- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. + +.. code-block:: none + + set firewall options interface vti1 adjust-mss 1350 + set firewall options interface vti2 adjust-mss 1350 + +- Configure the VPN tunnels + +.. 
code-block:: none + + set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' + set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' + set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' + set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' + set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' + set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' + set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' + set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' + set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' + + set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3' + set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' + set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3' + set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond' + set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL' + set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE' + set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5' + set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2' + set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE' + +- **Important**: Add an interface route to reach both Azure's BGP listeners + +.. code-block:: none + + set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 + set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2 + +- Configure your BGP settings + +.. 
code-block:: none + + set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' + set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' + set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' + set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' + + set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540' + set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound' + set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30' + set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10' + +- **Important**: Disable connected check, otherwise the routes learned + from Azure will not be imported into the routing table. + +.. code-block:: none + + set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check + set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check diff --git a/docs/configexamples/bgp-ipv6-unnumbered.rst b/docs/configexamples/bgp-ipv6-unnumbered.rst new file mode 100644 index 00000000..283dcd45 --- /dev/null +++ b/docs/configexamples/bgp-ipv6-unnumbered.rst 
@@ -0,0 +1,171 @@ +.. _examples-bgp-ipv6-unnumbered: + +VyOS BGP ipv6 unnumbered with extended nexthop +---------------------------------------------- + +General infomration can be found in the :ref:`routing-bgp` chapter. + +Configuration +^^^^^^^^^^^^^ + +- Router A: + +.. code-block:: none + + set protocols bgp 65020 address-family ipv4-unicast redistribute connected + set protocols bgp 65020 address-family ipv6-unicast redistribute connected + set protocols bgp 65020 neighbor eth1 interface v6only + set protocols bgp 65020 neighbor eth1 interface v6only peer-group 'fabric' + set protocols bgp 65020 neighbor eth2 interface v6only + set protocols bgp 65020 neighbor eth2 interface v6only peer-group 'fabric' + set protocols bgp 65020 parameters bestpath as-path multipath-relax + set protocols bgp 65020 parameters bestpath compare-routerid + set protocols bgp 65020 parameters default no-ipv4-unicast + set protocols bgp 65020 parameters router-id '192.168.0.1' + set protocols bgp 65020 peer-group fabric address-family ipv4-unicast + set protocols bgp 65020 peer-group fabric address-family ipv6-unicast + set protocols bgp 65020 peer-group fabric capability extended-nexthop + set protocols bgp 65020 peer-group fabric remote-as 'external' + +- Router B: + +.. 
code-block:: none + + set protocols bgp 65021 address-family ipv4-unicast redistribute connected + set protocols bgp 65021 address-family ipv6-unicast redistribute connected + set protocols bgp 65021 neighbor eth1 interface v6only + set protocols bgp 65021 neighbor eth1 interface v6only peer-group 'fabric' + set protocols bgp 65021 neighbor eth2 interface v6only + set protocols bgp 65021 neighbor eth2 interface v6only peer-group 'fabric' + set protocols bgp 65021 parameters bestpath as-path multipath-relax + set protocols bgp 65021 parameters bestpath compare-routerid + set protocols bgp 65021 parameters default no-ipv4-unicast + set protocols bgp 65021 parameters router-id '192.168.0.2' + set protocols bgp 65021 peer-group fabric address-family ipv4-unicast + set protocols bgp 65021 peer-group fabric address-family ipv6-unicast + set protocols bgp 65021 peer-group fabric capability extended-nexthop + set protocols bgp 65021 peer-group fabric remote-as 'external' + +Results +^^^^^^^^^^^^^ + +- Router A: + +.. code-block:: none + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 62.104.XXX.XXX/24 u/u + eth1 - u/u + eth2 - u/u + lo 127.0.0.1/8 u/u + 192.168.0.1/32 + ::1/128 + +.. code-block:: none + + vyos@vyos:~$ show ip route + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, + F - PBR, f - OpenFabric, + > - selected route, * - FIB route + + S>* 0.0.0.0/0 [210/0] via 62.104.XXX.XXX, eth0, 03:21:53 + C>* 62.104.56.0/24 is directly connected, eth0, 03:21:53 + C>* 192.168.0.1/32 is directly connected, lo, 03:21:56 + B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07 + * via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07 + +.. 
code-block:: none + + vyos@vyos:~$ ping 192.168.0.2 + PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. + 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.575 ms + 64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.628 ms + 64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.581 ms + 64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.682 ms + 64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.597 ms + + --- 192.168.0.2 ping statistics --- + 5 packets transmitted, 5 received, 0% packet loss, time 4086ms + rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms + +.. code-block:: none + + vyos@vyos:~$ show ip bgp summary + + IPv4 Unicast Summary: + BGP router identifier 192.168.0.1, local AS number 65020 vrf-id 0 + BGP table version 4 + RIB entries 5, using 800 bytes of memory + Peers 2, using 41 KiB of memory + Peer groups 1, using 64 bytes of memory + + Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd + eth1 4 65021 13 13 0 0 0 00:05:33 2 + eth2 4 65021 13 14 0 0 0 00:05:29 2 + + Total number of neighbors 2 + +- Router B: + +.. code-block:: none + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 62.104.XXX.XXX/24 u/u + eth1 - u/u + eth2 - u/u + lo 127.0.0.1/8 u/u + 192.168.0.2/32 + ::1/128 + +.. code-block:: none + + vyos@vyos:~$ show ip route + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, + F - PBR, f - OpenFabric, + > - selected route, * - FIB route + + S>* 0.0.0.0/0 [210/0] via 62.104.XXX.XXX, eth0, 00:44:08 + C>* 62.104.56.0/24 is directly connected, eth0, 00:44:09 + B>* 192.168.0.1/32 [20/0] via fe80::a00:27ff:fe2d:205d, eth1, 00:06:18 + * via fe80::a00:27ff:fe93:e142, eth2, 00:06:18 + C>* 192.168.0.2/32 is directly connected, lo, 00:44:11 + +.. 
code-block:: none + + vyos@vyos:~$ ping 192.168.0.1 + PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. + 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.427 ms + 64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.471 ms + 64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.782 ms + 64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.715 ms + + --- 192.168.0.1 ping statistics --- + 4 packets transmitted, 4 received, 0% packet loss, time 3051ms + rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms + +.. code-block:: none + + vyos@vyos:~$ show ip bgp summary + IPv4 Unicast Summary: + BGP router identifier 192.168.0.2, local AS number 65021 vrf-id 0 + BGP table version 4 + RIB entries 5, using 800 bytes of memory + Peers 2, using 41 KiB of memory + Peer groups 1, using 64 bytes of memory + + Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd + eth1 4 65020 14 14 0 0 0 00:06:40 2 + eth2 4 65020 14 14 0 0 0 00:06:37 2 + + Total number of neighbors 2 + diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst new file mode 100644 index 00000000..f94eb67f --- /dev/null +++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst 
@@ -0,0 +1,77 @@ +.. _examples-dhcp-relay-through-gre-bridge: + + +DHCP Relay through GRE-Bridge +----------------------------- + +Diagram +^^^^^^^ + +.. image:: /_static/images/dhcp-relay-through-gre-bridge.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +Configuration +^^^^^^^^^^^^^ + +DHCP Server +""""""""""" + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.2.1/24' + set interfaces loopback lo address '3.3.3.3/24' + set interfaces tunnel tun100 address '172.16.0.2/30' + set interfaces tunnel tun100 encapsulation 'gre-bridge' + set interfaces tunnel tun100 local-ip '10.0.2.1' + set interfaces tunnel tun100 remote-ip '192.168.0.1' + set protocols ospf area 0 network '3.3.3.0/24' + set protocols ospf area 0 network '10.0.2.0/24' + set protocols ospf parameters router-id '3.3.3.3' + set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100 + set service dhcp-server shared-network-name asdf authoritative + set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 start '3.3.3.30' + set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 stop '3.3.3.40' + set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 default-router '10.0.1.2' + set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 start '10.0.1.200' + set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 stop '10.0.1.210' + set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 start '10.2.1.222' + set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 stop '10.2.1.233' + set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 start '172.16.0.1' + set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 stop '172.16.0.2' + + +In-Between Router +""""""""""""""""" + +.. 
code-block:: none + + set interfaces ethernet eth0 address '192.168.0.2/24' + set interfaces ethernet eth1 address '10.0.2.2/24' + set protocols ospf area 0 network '192.168.0.0/24' + set protocols ospf area 0 network '10.0.2.0/24' + set protocols ospf parameters router-id '192.168.0.2' + + +DHCP Relay +"""""""""" + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.1.2/24' + set interfaces ethernet eth1 address '192.168.0.1/24' + set interfaces loopback lo address '1.1.1.1' + set interfaces tunnel tun100 address '172.16.0.1/30' + set interfaces tunnel tun100 encapsulation 'gre-bridge' + set interfaces tunnel tun100 local-ip '192.168.0.1' + set interfaces tunnel tun100 remote-ip '10.0.2.1' + set protocols ospf area 0 network '10.0.1.0/24' + set protocols ospf area 0 network '192.168.0.0/24' + set protocols ospf area 0 network '1.1.1.0/24' + set protocols ospf parameters router-id '1.1.1.1' + set protocols static interface-route 3.3.3.3/32 next-hop-interface tun100 + set service dhcp-relay interface 'eth0' + set service dhcp-relay interface 'tun100' + set service dhcp-relay server '3.3.3.3' + diff --git a/docs/configexamples/dmvpn.rst b/docs/configexamples/dmvpn.rst new file mode 100644 index 00000000..30ca8e86 --- /dev/null +++ b/docs/configexamples/dmvpn.rst 
@@ -0,0 +1,106 @@ + +.. _examples-dmvpn: + +VyOS DMVPN Hub +-------------- + +General infomration can be found in the :ref:`vpn-dmvpn` chapter. + +Configuration +^^^^^^^^^^^^^ + +.. code-block:: none + + set interfaces tunnel tun100 address '172.16.253.134/29' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 local-ip '11.22.33.44' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN 
esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +Cisco IOS Spoke +^^^^^^^^^^^^^^^ + +This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and +VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). + +.. code-block:: none + + Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3) + Technical Support: http://www.cisco.com/techsupport + Copyright (c) 1986-2014 by Cisco Systems, Inc. + Compiled Fri 12-Sep-14 10:45 by prod_rel_team + + ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) + +Use this configuration on your Cisco device: + +.. code-block:: none + + crypto pki token default removal timeout 0 + crypto keyring DMVPN + pre-shared-key address 1.2.3.4 key <secretkey> + ! + crypto isakmp policy 10 + encr aes 256 + authentication pre-share + group 2 + ! + crypto isakmp invalid-spi-recovery + crypto isakmp keepalive 30 30 periodic + crypto isakmp profile DMVPN + keyring DMVPN + match identity address 11.22.33.44 255.255.255.255 + ! + crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + mode transport + ! + crypto ipsec profile DMVPN + set security-association idle-time 720 + set transform-set DMVPN-AES256 + set isakmp-profile DMVPN + ! + interface Tunnel10 + description Tunnel to DMVPN HUB + ip address 172.16.253.129 255.255.255.248 + no ip redirects + ip nhrp authentication <nhrp secret key> + ip nhrp map multicast 11.22.33.44 + ip nhrp map 172.16.253.134 11.22.33.44 + ip nhrp network-id 1 + ip nhrp holdtime 600 + ip nhrp nhs 172.16.253.134 + ip nhrp registration timeout 75 + tunnel source Dialer1 + tunnel mode gre multipoint + tunnel key 1 diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst new file mode 100644 index 00000000..073bc125 --- /dev/null +++ b/docs/configexamples/index.rst 
@@ -0,0 +1,19 @@ +.. _examples: + +Configuration Blueprints +======================== + +This chapter contains various configuration examples: + +.. toctree:: + :maxdepth: 2 + + dhcp-relay-through-gre-bridge + zone-policy + bgp-ipv6-unnumbered + ospf-unnumbered + azure-vpn-bgp + azure-vpn-dual-bgp + tunnelbroker-ipv6 + wan-load-balancing + dmvpn diff --git a/docs/configexamples/ospf-unnumbered.rst b/docs/configexamples/ospf-unnumbered.rst new file mode 100644 index 00000000..84fc691e --- /dev/null +++ b/docs/configexamples/ospf-unnumbered.rst 
@@ -0,0 +1,125 @@ +.. _examples-ospf-unnumbered: + +VyOS OSPF unnumbered with ecmp +---------------------------------------------- + +General infomration can be found in the :ref:`routing-ospf` chapter. + +Configuration +^^^^^^^^^^^^^ + +- Router A: + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.0.1/24' + set interfaces ethernet eth1 address '192.168.0.1/32' + set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' + set interfaces ethernet eth1 ip ospf network 'point-to-point' + set interfaces ethernet eth2 address '192.168.0.1/32' + set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' + set interfaces ethernet eth2 ip ospf network 'point-to-point' + set interfaces loopback lo address '192.168.0.1/32' + set protocols ospf area 0.0.0.0 authentication 'md5' + set protocols ospf area 0.0.0.0 network '192.168.0.1/32' + set protocols ospf parameters router-id '192.168.0.1' + set protocols ospf redistribute connected + +- Router B: + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.0.2/24' + set interfaces ethernet eth1 address '192.168.0.2/32' + set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' + set interfaces ethernet eth1 ip ospf network 'point-to-point' + set interfaces ethernet eth2 address '192.168.0.2/32' + set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' + set interfaces ethernet eth2 ip ospf network 'point-to-point' + set interfaces loopback lo address '192.168.0.2/32' + set protocols ospf area 0.0.0.0 authentication 'md5' + set protocols ospf area 0.0.0.0 network '192.168.0.2/32' + set protocols ospf parameters router-id '192.168.0.2' + set protocols ospf redistribute connected + + +Results +^^^^^^^^^^^^^ + +- Router A: + +.. 
code-block:: none + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 10.0.0.1/24 u/u + eth1 192.168.0.1/32 u/u + eth2 192.168.0.1/32 u/u + lo 127.0.0.1/8 u/u + 192.168.0.1/32 + ::1/128 + vyos@vyos:~$ + + +.. code-block:: none + + vyos@vyos:~$ show ip route + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, + F - PBR, f - OpenFabric, + > - selected route, * - FIB route, q - queued route, r - rejected route + + S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 + O 10.0.0.0/24 [110/20] via 192.168.0.2, eth1 onlink, 00:13:21 + via 192.168.0.2, eth2 onlink, 00:13:21 + C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 + O 192.168.0.1/32 [110/0] is directly connected, lo, 00:48:53 + C * 192.168.0.1/32 is directly connected, eth2, 00:56:31 + C * 192.168.0.1/32 is directly connected, eth1, 00:56:31 + C>* 192.168.0.1/32 is directly connected, lo, 00:57:36 + O>* 192.168.0.2/32 [110/1] via 192.168.0.2, eth1 onlink, 00:29:03 + * via 192.168.0.2, eth2 onlink, 00:29:03 + vyos@vyos:~$ + + +- Router B: + +.. code-block:: none + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 10.0.0.2/24 u/u + eth1 192.168.0.2/32 u/u + eth2 192.168.0.2/32 u/u + lo 127.0.0.1/8 u/u + 192.168.0.2/32 + ::1/128 + vyos@vyos:~$ + + +.. 
code-block:: none + + vyos@vyos:~$ show ip route + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, + F - PBR, f - OpenFabric, + > - selected route, * - FIB route, q - queued route, r - rejected route + + S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 + O 10.0.0.0/24 [110/20] via 192.168.0.1, eth1 onlink, 00:13:21 + via 192.168.0.1, eth2 onlink, 00:13:21 + C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 + O 192.168.0.2/32 [110/0] is directly connected, lo, 00:48:53 + C * 192.168.0.2/32 is directly connected, eth2, 00:56:31 + C * 192.168.0.2/32 is directly connected, eth1, 00:56:31 + C>* 192.168.0.2/32 is directly connected, lo, 00:57:36 + O>* 192.168.0.1/32 [110/1] via 192.168.0.1, eth1 onlink, 00:29:03 + * via 192.168.0.1, eth2 onlink, 00:29:03 + vyos@vyos:~$ + diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst new file mode 100644 index 00000000..ca3921ec --- /dev/null +++ b/docs/configexamples/tunnelbroker-ipv6.rst 
@@ -0,0 +1,151 @@ +.. _examples-tunnelbroker-ipv6: + +VyOS Tunnelbroker.net IPv6 +-------------------------- + +This guides walks through the setup of `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ for an IPv6 Tunnel. + +Prerequisites +^^^^^^^^^^^^^ + +- A public IP address. This does not necessarily need to be static, but you will need to update the tunnel endpoint when/if your IP address changes, which can be done with a script and a scheduled task. +- An account at `Tunnelbroker.net <https://www.tunnelbroker.net/>`_. +- Requested a "Regular Tunnel". You want to choose a location that is closest to your physical location for the best response time. + +Setting up the initial tunnel +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page. + +.. code-block:: none + + conf + set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address + set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel' + set interfaces tunnel tun0 encapsulation 'sit' + set interfaces tunnel tun0 local-ip Client_IPv4_from_Tunnelbroker # This is your public IP + set interfaces tunnel tun0 mtu '1472' + set interfaces tunnel tun0 multicast 'disable' + set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP of the Tunnelbroker server + set protocols static interface-route6 ::/0 next-hop-interface tun0 # Tell all traffic to go over this tunnel + commit + +- If your WAN connection is over PPPoE, you may need to set the MTU on the above tunnel lower than 1472. + +- At this point you should be able to ping an IPv6 address. Try pinging Google: + +.. 
code-block:: none + + ping6 -c2 2001:4860:4860::8888 + + 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=21.7 ms + 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=21.1 ms + + --- 2001:4860:4860::8888 ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1001ms + rtt min/avg/max/mdev = 21.193/21.459/21.726/0.304 ms + +- Assuming the pings are successful, you need to add some DNS servers. Some options: + +.. code-block:: none + + set system name-server 2001:4860:4860::8888 # Google + set system name-server 2001:4860:4860::8844 # Google + set system name-server 2606:4700:4700::1111 # Cloudflare + set system name-server 2606:4700:4700::1001 # Cloudflare + commit + +- You should now be able to ping something by IPv6 DNS name: + +.. code-block:: none + + # ping6 -c2 one.one.one.one + PING one.one.one.one(one.one.one.one) 56 data bytes + 64 bytes from one.one.one.one: icmp_seq=1 ttl=58 time=16.8 ms + 64 bytes from one.one.one.one: icmp_seq=2 ttl=58 time=17.4 ms + + --- one.one.one.one ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1001ms + rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms + +- Assuming everything works, you can proceed to client configuration + +LAN Configuration +^^^^^^^^^^^^^^^^^ + +At this point your VyOS install should have full IPv6, but now your LAN devices need access. + +With Tunnelbroker.net, you have two options: + +- Routed /64. This is the default assignment. In IPv6-land, it's good for a single "LAN", and is somewhat equivalent to a /24. Example: `2001:470:xxxx:xxxx::/64` +- Routed /48. This is something you can request by clicking the "Assign /48" link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k LANs. Example: `2001:470:xxxx::/48` + +Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. 
So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that. + +Single LAN Setup +^^^^^^^^^^^^^^^^ + +Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel): + +.. code-block:: none + + set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64' + set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' + set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 autonomous-flag 'true' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 on-link-flag 'true' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 valid-lifetime '2592000' + + +- This accomplishes a few things: + + - Sets your LAN interface's IP address + - Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS. + +Multiple LAN/DMZ Setup +^^^^^^^^^^^^^^^^^^^^^^ + +In this, you use the `Routed /48` information. This allows you to assign a different /64 to every interface, LAN, or even device. Or you could break your network into smaller chunks like /56 or /60. + +The format of these addresses: + +- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker. +- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN +- `2001:470:xxxx:2::/64`: Another subnet +- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet. + +In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535). + +So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: + +.. 
code-block:: none + + set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64' + set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' + set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 autonomous-flag 'true' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 on-link-flag 'true' + set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 valid-lifetime '2592000' + + set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64' + set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8888' + set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8844' + set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 autonomous-flag 'true' + set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 on-link-flag 'true' + set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 valid-lifetime '2592000' + + set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64' + set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8888' + set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8844' + set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 autonomous-flag 'true' + set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 on-link-flag 'true' + set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 valid-lifetime '2592000' + +Firewall +^^^^^^^^ + +Finally, don't forget the :ref:`firewall`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`. + +Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall ipv6-name` + + 
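Review bot: the Firewall section at the end of this file attaches the IPv6 ruleset with `set interfaces ethernet eth0 firewall in ipv6-name`, but in this setup inbound IPv6 is decapsulated on tun0; eth0 only ever sees the protocol-41 IPv4 packets from the Tunnelbroker server, so an `ipv6-name` ruleset bound to eth0 `in` never sees tunnelled traffic and the LAN is left unfiltered. The example should bind to the tunnel interface instead (`set interfaces tunnel tun0 firewall in ipv6-name NAME`), or put tun0 rather than eth0 in the WAN zone when zone-policy is used. Two smaller items: in the Multiple LAN/DMZ address list `2001:470:xxxx:ffff:/64` is missing its `::` and should read `2001:470:xxxx:ffff::/64`, and "This guides walks" in the introduction should be "This guide walks".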
diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst new file mode 100644 index 00000000..7093defe --- /dev/null +++ b/docs/configexamples/wan-load-balancing.rst 
@@ -0,0 +1,170 @@ +.. _wan-load-balancing: + +WAN Load Balancer examples +========================== + + +Example 1: Distributing load evenly +----------------------------------- + +The setup used in this example is shown in the following diagram: + +.. image:: /_static/images/Wan_load_balancing1.png + :width: 80% + :align: center + :alt: Network Topology Diagram + + +Overview +^^^^^^^^ + * All traffic coming in trough eth2 is balanced between eth0 and eth1 + on the router. + * Pings will be sent to four targets for health testing (33.44.55.66, + 44.55.66.77, 55.66.77.88 and 66.77.88.99). + * All outgoing packets are assigned the source address of the assigned + interface (SNAT). + * eth0 is set to be removed from the load balancer's interface pool + after 5 ping failures, eth1 will be removed after 4 ping failures. + +Create static routes to ping targets +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create static routes through the two ISPs towards the ping targets and +commit the changes: + +.. code-block:: none + + set protocols static route 33.44.55.66/32 next-hop 11.22.33.1 + set protocols static route 44.55.66.77/32 next-hop 11.22.33.1 + set protocols static route 55.66.77.88/32 next-hop 22.33.44.1 + set protocols static route 66.77.88.99/32 next-hop 22.33.44.1 + +Configure the load balancer +^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configure the WAN load balancer with the parameters described above: + +.. 
code-block:: none + + set load-balancing wan interface-health eth0 failure-count 5 + set load-balancing wan interface-health eth0 nexthop 11.22.33.1 + set load-balancing wan interface-health eth0 test 10 type ping + set load-balancing wan interface-health eth0 test 10 target 33.44.55.66 + set load-balancing wan interface-health eth0 test 20 type ping + set load-balancing wan interface-health eth0 test 20 target 44.55.66.77 + set load-balancing wan interface-health eth1 failure-count 4 + set load-balancing wan interface-health eth1 nexthop 22.33.44.1 + set load-balancing wan interface-health eth1 test 10 type ping + set load-balancing wan interface-health eth1 test 10 target 55.66.77.88 + set load-balancing wan interface-health eth1 test 20 type ping + set load-balancing wan interface-health eth1 test 20 target 66.77.88.99 + set load-balancing wan rule 10 inbound-interface eth2 + set load-balancing wan rule 10 interface eth0 + set load-balancing wan rule 10 interface eth1 + +Example 2: Failover based on interface weights +---------------------------------------------- + +This examples uses the failover mode. + +Overview +^^^^^^^^ +In this example eth0 is the primary interface and eth1 is the secondary +interface to provide simple failover functionality. If eth0 fails, eth1 +takes over. + +Create interface weight based configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The configuration steps are the same as in the previous example, except +rule 10 so we keep the configuration, remove rule 10 and add a new rule +for the failover mode: + +.. 
code-block:: none + + delete load-balancing wan rule 10 + set load-balancing wan rule 10 failover + set load-balancing wan rule 10 inbound-interface eth2 + set load-balancing wan rule 10 interface eth0 weight 10 + set load-balancing wan rule 10 interface eth1 weight 1 + +Example 3: Failover based on rule order +--------------------------------------- + +The previous example used the failover command to send traffic thorugh +eth1 if eth0 fails. In this example failover functionality is provided +by rule order. + +Overview +^^^^^^^^ +Two rules will be created, the first rule directs traffic coming in +from eth2 to eth0 and the second rule directs the traffic to eth1. If +eth0 fails the first rule is bypassed and the second rule matches, +directing traffic to eth1. + +Create rule order based configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +We keep the configurtation from the previous example, delete rule 10 +and create the two new rules as described: + +.. code-block:: none + + delete load-balancing wan rule 10 + set load-balancing wan rule 10 inbound-interface eth2 + set load-balancing wan rule 10 interface eth0 + set load-balancing wan rule 20 inbound-interface eth2 + set load-balancing wan rule 20 interface eth1 + +Example 4: Failover based on rule order - priority traffic +---------------------------------------------------------- + +A rule order for prioritising traffic is useful in scenarios where the +secondary link has a lower speed and should only carry high priority +traffic. It is assumed for this example that eth1 is connected to a +slower connection than eth0 and should prioritise VoIP traffic. + +Overview +^^^^^^^^ +A rule order for prioritising traffic is useful in scenarios where the +secondary link has a lower speed and should only carry high priority +traffic. It is assumed for this example that eth1 is connected to a +slower connection than eth0 and should prioritise VoIP traffic. 
+ +Create rule order based configuration with low speed secondary link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +We keep the configuration from the previous example, delete rule 20 and +create a new rule as described: + +.. code-block:: none + + delete load-balancing wan rule 20 + set load-balancing wan rule 20 inbound-interface eth2 + set load-balancing wan rule 20 interface eth1 + set load-balancing wan rule 20 destination port sip + set load-balancing wan rule 20 protocol tcp + set protocols static route 0.0.0.0/0 next-hop 11.22.33.1 + +Example 5: Exclude traffic from load balancing +---------------------------------------------- + +In this example two LAN interfaces exist in different subnets instead +of one like in the previous examples: + +.. image:: /_static/images/Wan_load_balancing_exclude1.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +Adding a rule for the second interface +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Based on the previous example, another rule for traffic from the second +interface eth3 can be added to the load balancer. However, traffic meant +to flow between the LAN subnets will be sent to eth0 and eth1 as well. +To prevent this, another rule is required. This rule excludes traffic +between the local subnets from the load balancer. It also excludes +locally-sources packets (required for web caching with load balancing). +eth+ is used as an alias that refers to all ethernet interfaces: + +.. code-block:: none + + set load-balancing wan rule 5 exclude + set load-balancing wan rule 5 inbound-interface eth+ + set load-balancing wan rule 5 destination address 10.0.0.0/8 diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst new file mode 100644 index 00000000..7a25d063 --- /dev/null +++ b/docs/configexamples/zone-policy.rst 
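Review bot: the ping targets and next-hops in Example 1 (33.44.55.66, 44.55.66.77, 55.66.77.88, 66.77.88.99, 11.22.33.1 and 22.33.44.1) are live public address space, not documentation ranges; readers copy these blocks verbatim, so please use RFC 5737 addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so nobody ends up health-checking real hosts. In Example 4 the introductory paragraph and the Overview paragraph are word-for-word identical and one should be dropped; the same block pairs `destination port sip` with `protocol tcp` only, so a sentence on why UDP SIP signalling is not matched (or a matching udp rule) would help, and `set protocols static route 0.0.0.0/0 next-hop 11.22.33.1` is added there without any explanation of why a default route via the primary ISP is needed. Typos: "trough" (Example 1 Overview), "This examples uses" (Example 2), "thorugh" and "configurtation" (Example 3), "locally-sources" (Example 5).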
@@ -0,0 +1,379 @@ +.. _examples-zone-policy: + +Zone-Policy example +------------------- + +Native IPv4 and IPv6 +^^^^^^^^^^^^^^^^^^^^ + +We have three networks. + +.. code-block:: none + + WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64 + LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 + DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64 + + +This specific example is for a router on a stick, but is very easily adapted +for however many NICs you have. + +[http://imgur.com/Alz1J.png Topology Image] + +The VyOS interface is assigned the .1/:1 address of their respective networks. +WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30. + +It will look something like this: + +.. code-block:: none + + interfaces { + ethernet eth0 { + duplex auto + hw-id 00:0c:29:6e:2a:92 + smp_affinity auto + speed auto + vif 10 { + address 172.16.10.1/24 + address 2001:db8:0:9999::1/64 + } + vif 20 { + address 192.168.100.1/24 + address 2001:db8:0:AAAA::1/64 + } + vif 30 { + address 192.168.200.1/24 + address 2001:db8:0:BBBB::1/64 + } + } + loopback lo { + } + } + + +Zones Basics +^^^^^^^^^^^^ + +Each interface is assigned to a zone. The interface can be physical or virtual +such as tunnels (VPN, pptp, gre, etc) and are treated exactly the same. + +Traffic flows from zone A to zone B. That flow is what I refer to as a +zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations. + +Ruleset are created per zone-pair-direction. + +I name rule sets to indicate which zone-pair-direction they represent. eg. +ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN. + +In VyOS, you have to have unique Ruleset names. In the event of overlap, I +add a "-6" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for +each auto-completion and uniqueness. + +In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the +firewall itself. + +If your computer is on the LAN and you need to SSH into your VyOS box, you +would need a rule to allow it in the LAN-Local ruleset. 
If you want to access +a webpage from your VyOS box, you need a rule to allow it in the Local-LAN +ruleset. + +In rules, it is good to keep them named consistently. As the number of rules +you have grows, the more consistency you have, the easier your life will be. + +.. code-block:: none + + Rule 1 - State Established, Related + Rule 2 - State Invalid + Rule 100 - ICMP + Rule 200 - Web + Rule 300 - FTP + Rule 400 - NTP + Rule 500 - SMTP + Rule 600 - DNS + Rule 700 - DHCP + Rule 800 - SSH + Rule 900 - IMAPS + +The first two rules are to deal with the idiosyncrasies of VyOS and iptables. + +Zones and Rulesets both have a default action statement. When using +Zone-Policies, the default action is set by the zone-policy statement and is +represented by rule 10000. + +It is good practice to log both accepted and denied traffic. It can save you +significant headaches when trying to troubleshoot a connectivity issue. + +To add logging to the default rule, do: + +.. code-block:: none + + set firewall name <ruleSet> enable-default-log + + +By default, iptables does not allow traffic for established session to return, +so you must explicitly allow this. I do this by adding two rules to every +ruleset. 1 allows established and related state packets through and rule 2 +drops and logs invalid state packets. We place the established/related rule at +the top because the vast majority of traffic on a network is established and +the invalid rule to prevent invalid state packets from mistakenly being matched +against other rules. Having the most matched rule listed first reduces CPU load +in high volume environments. Note: I have filed a bug to have this added as a +default action as well. + +''It is important to note, that you do not want to add logging to the +established state rule as you will be logging both the inbound and outbound +packets for each session instead of just the initiation of the session. 
+Your logs will be massive in a very short period of time.'' + +In VyOS you must have the interfaces created before you can apply it to the +zone and the rulesets must be created prior to applying it to a zone-policy. + +I create/configure the interfaces first. Build out the rulesets for each +zone-pair-direction which includes at least the three state rules. Then I setup +the zone-policies. + +Zones do not allow for a default action of accept; either drop or reject. +It is important to remember this because if you apply an interface to a zone +and commit, any active connections will be dropped. Specifically, if you are +SSH’d into VyOS and add local or the interface you are connecting through to a +zone and do not have rulesets in place to allow SSH and established sessions, +you will not be able to connect. + +The following are the rules that were created for this example +(may not be complete), both in IPv4 and IPv6. If there is no IP specified, +then the source/destination address is not explicit. + +.. 
code-block:: none + + WAN – DMZ:192.168.200.200 – tcp/80 + WAN – DMZ:192.168.200.200 – tcp/443 + WAN – DMZ:192.168.200.200 – tcp/25 + WAN – DMZ:192.168.200.200 – tcp/53 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53 + + DMZ - Local - tcp/53 + DMZ - Local - tcp/123 + DMZ - Local - tcp/67,68 + + LAN - Local - tcp/53 + LAN - Local - tcp/123 + LAN - Local - tcp/67,68 + LAN:192.168.100.10 - Local - tcp/22 + LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22 + + LAN - WAN - tcp/80 + LAN - WAN - tcp/443 + LAN - WAN - tcp/22 + LAN - WAN - tcp/20,21 + + DMZ - WAN - tcp/80 + DMZ - WAN - tcp/443 + DMZ - WAN - tcp/22 + DMZ - WAN - tcp/20,21 + DMZ - WAN - tcp/53 + DMZ - WAN - udp/53 + + Local - WAN - tcp/80 + Local - WAN - tcp/443 + Local - WAN - tcp/20,21 + + Local - DMZ - tcp/25 + Local - DMZ - tcp/67,68 + Local - DMZ - tcp/53 + Local - DMZ - udp/53 + + Local - LAN - tcp/67,68 + + LAN - DMZ - tcp/80 + LAN - DMZ - tcp/443 + LAN - DMZ - tcp/993 + LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22 + LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22 + +Since we have 4 zones, we need to setup the following rulesets. + +.. code-block:: none + + Lan-wan + Lan-local + Lan-dmz + Wan-lan + Wan-local + Wan-dmz + Local-lan + Local-wan + Local-dmz + Dmz-lan + Dmz-wan + Dmz-local + +Even if the two zones will never communicate, it is a good idea to create the +zone-pair-direction rulesets and set enable-default-log. This will allow you to +log attempts to access the networks. Without it, you will never see the +connection attempts. + +This is an example of the three base rules. + +.. 
code-block:: none + + name wan-lan { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + + +Here is an example of an IPv6 DMZ-WAN ruleset. + +.. code-block:: none + + ipv6-name dmz-wan-6 { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + rule 100 { + action accept + log enable + protocol ipv6-icmp + } + rule 200 { + action accept + destination { + port 80,443 + } + log enable + protocol tcp + } + rule 300 { + action accept + destination { + port 20,21 + } + log enable + protocol tcp + } + rule 500 { + action accept + destination { + port 25 + } + log enable + protocol tcp + source { + address 2001:db8:0:BBBB::200 + } + } + rule 600 { + action accept + destination { + port 53 + } + log enable + protocol tcp_udp + source { + address 2001:db8:0:BBBB::200 + } + } + rule 800 { + action accept + destination { + port 22 + } + log enable + protocol tcp + } + } + +Once you have all of your rulesets built, then you need to create your +zone-policy. + +Start by setting the interface and default action for each zone. + +.. code-block:: none + + set zone-policy zone dmz default-action drop + set zone-policy zone dmz interface eth0.30 + +In this case, we are setting the v6 ruleset that represents traffic sourced +from the LAN, destined for the DMZ. +Because the zone-policy firewall syntax is a little awkward, I keep it straight +by thinking of it backwards. + + set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6 + +dmz-lan policy is lan-dmz. You can get a rhythm to it when you build out a bunch at one time. + +In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is. 
+== IPv6 Tunnel == + +If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interface. One for v4 and one for v6. + +You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN. + +LAN, WAN, DMZ, local and TUN (tunnel) + +v6 pairs would be: + +.. code-block:: none + + lan-tun + lan-local + lan-dmz + tun-lan + tun-local + tun-dmz + local-lan + local-tun + local-dmz + dmz-lan + dmz-tun + dmz-local + +Notice, none go to WAN since WAN wouldn't have a v6 address on it. + +You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in. + +Something like: + +.. code-block:: none + + rule 400 { + action accept + destination { + address 172.16.10.1 + } + log enable + protocol 41 + source { + address ip.of.tunnel.broker + } + } + |
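Review bot: the `ipv6-name dmz-wan-6` block does not balance its braces: `rule 2 {` opens, its inner `state { invalid enable }` closes, and `rule 100 {` then starts before rule 2 itself is closed, so the configuration as printed will not load; add the missing `}` after the state block. In the rule list, the NTP and DHCP entries (`DMZ - Local - tcp/123`, `LAN - Local - tcp/67,68`, `Local - LAN - tcp/67,68` and the similar lines) name TCP, but NTP and DHCP run over UDP 123 and UDP 67/68, so rules written that way never match and the traffic falls through to the logged default drop; use udp, or tcp_udp as rule 600 does. The text says "the three state rules" and "the three base rules" while only rules 1 and 2 are shown, and "A->B and B->A are two zone-pair-destinations" should read zone-pair-directions. Formatting carried over from the wiki: `[http://imgur.com/Alz1J.png Topology Image]`, the `''...''` italics and `== IPv6 Tunnel ==` are MediaWiki syntax, not RST; use an `.. image::` directive, `*...*`, and the `^^^^` underline used for the other headings in this file. The `set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6` line sits outside any `.. code-block::` directive and will render as a block quote rather than as a command.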